Client applications protecting sensitive information typically require a user-supplied PIN to authenticate the user. However, a simple PIN might not provide sufficient security. For example, a six-digit numeric PIN provides at most 10^6 characters of entropy, which may be used for data security. This may be inadequate to withstand a GPU-based password cracking attack.
A PIN Validator may be used to verify that the user has entered the correct PIN. Current systems may create a PIN Validator by generating a random phrase, encrypting the random phrase with a derivative of the user-supplied PIN, and storing the original random phrase and the encrypted random phrase after hashing each of them a number of times for obfuscation. The PIN Validator may be stored on the client device. However, this data security mechanism may be reversed in an offline attack in a matter of hours.
Additionally, the small amount of entropy provided by the user-supplied PIN might not be usable for cryptographic key derivation. Although key-stretching algorithms exist, they are not adequate for government and other regulated environments with strict security standards.
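A sizing sketch for the PIN Validator and key-stretching points above, as an added example that is not code from the original text: it builds a validator and computes the worst-case offline work for the six-digit keyspace without running the search. PBKDF2 as the "derivative" of the PIN, HMAC standing in for the encryption step, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, math, os, time

PIN_DIGITS = 6
KEYSPACE = 10 ** PIN_DIGITS          # every possible six-digit PIN

def derive_key(pin: str, salt: bytes, iterations: int) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for "a derivative of the PIN".
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

def make_validator(pin: str, iterations: int) -> dict:
    # Assumption: an HMAC over the random phrase stands in for encrypting it,
    # so the example needs only the standard library.
    salt, phrase = os.urandom(16), os.urandom(32)
    tag = hmac.new(derive_key(pin, salt, iterations), phrase, hashlib.sha256).digest()
    return {"salt": salt, "phrase": phrase, "tag": tag, "iterations": iterations}

def check_pin(validator: dict, pin: str) -> bool:
    # Everything needed for this check lives on the device, so it also works offline.
    key = derive_key(pin, validator["salt"], validator["iterations"])
    expected = hmac.new(key, validator["phrase"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, validator["tag"])

def pin_entropy_bits(digits: int = PIN_DIGITS) -> float:
    return digits * math.log2(10)

def offline_work(validator: dict, sample: int = 20) -> dict:
    """Size the worst-case offline search without performing it."""
    start = time.perf_counter()
    for guess in range(sample):       # time a handful of checks only
        check_pin(validator, f"{guess:0{PIN_DIGITS}d}")
    per_check = (time.perf_counter() - start) / sample
    return {
        "checks": KEYSPACE,
        "hash_rounds": KEYSPACE * validator["iterations"],
        "single_core_hours": per_check * KEYSPACE / 3600,
    }

if __name__ == "__main__":
    print(f"PIN entropy: {pin_entropy_bits():.1f} bits")
    for iterations in (1_000, 100_000):
        v = make_validator("482913", iterations)   # constructed sample PIN
        w = offline_work(v, sample=5)
        print(f"{iterations} iterations: {w['hash_rounds']} hash rounds, "
              f"{w['single_core_hours']:.1f} h on one CPU core")
```

Raising the iteration count scales the work linearly, but the number of checks stays fixed at 10^6 because the PIN itself is the only secret input.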